Insecure outbound traffic FAQs

By June 20th 2018, we will be dropping support for several categories of insecure network traffic for Adobe Sign. This is required to meet specific requirements for PCI compliance.

FAQ

What type of network traffic is affected by the new encryption rules?

All Traffic:

INBOUND

Inbound traffic refers to connections made from a client to our servers. We will stop supporting unencrypted connections to our APIs -- that is, requests that use "http:" rather than "https:".

Once we've made this change, customer and partner applications will fail on attempts to establish unencrypted connections. The error behavior will be application-specific.

Error messages:

The error will be specific to the application but could be reported as a network connection error.

To correct this, customers must change their applications to specify "https:" URLs. Their clients must also support TLSv1.2. (As of April 9, that is the only version of SSL/TLS that our servers accept.)

OUTBOUND

Outbound traffic refers to connections made from our servers back to customer-specified servers. There are two categories:

• Upload callbacks for document uploads (described here for our REST API, but also applies to the legacy SOAP API)

• Status callbacks to notify the customer of a change in agreement status (described here for our REST API, but also applies to the legacy SOAP API)

For both categories of callbacks, we will stop supporting:

a. Unencrypted connections (using "http:" rather than "https:" URLs)

b. Connections to servers that do not support TLSv1.2 (in other words, TLSv1.0 and TLSv1.1 will no longer be supported)

c. Connections to servers that have invalid certificates. This includes certificates that are self-signed or expired, as well as cases in which a URL uses an IP address rather than a hostname.

Error messages:

• Upload callback: The upload should return an API error.

• Status callbacks:

To correct this:

• In partner/customer Sign applications, the URLs specified for callbacks must use "https:" rather than "http:". The URLs must also use a hostname rather than an IP address.

• The servers referenced by these URLs must support TLSv1.2 and have valid certificates.

How do I know if my connection to Adobe Sign is secure?

We are generating reports to identify customers whose existing inbound or outbound traffic is insecure. Those customers will be notified directly.

Customers who wish to test that their server is compliant can use a variety of free or commercial tools, including the Qualys SSL Labs Server Test, to ensure that their server accepts TLSv1.2 and has a valid certificate.
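The callback requirements listed under OUTBOUND and the server test described above can also be checked with a short script. The following is an added example, not Adobe's code or tooling: the function names check_callback_url and probe_tls12 are hypothetical, and the URLs to check are passed on the command line.

```python
import ipaddress
import socket
import ssl
import sys
from urllib.parse import urlsplit


def check_callback_url(url):
    """Check the URL itself (no network access); return a list of problems."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    if not host:
        problems.append("no hostname")
    else:
        try:
            ipaddress.ip_address(host)
            problems.append("host is an IP address, not a hostname")
        except ValueError:
            pass  # not an IP literal, so it is a hostname
    return problems


def probe_tls12(url, timeout=5.0):
    """Connect offering only TLSv1.2 and verifying the certificate; return (ok, detail)."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # checks chain, expiry and hostname match
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # prove 1.2 itself is accepted
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"handshake or connection failed: {exc}"


if __name__ == "__main__":
    for url in sys.argv[1:]:
        problems = check_callback_url(url)
        # Only probe the server when the URL itself is acceptable.
        print(url, problems if problems else probe_tls12(url))
```

A self-signed or expired certificate is reported as "certificate rejected", and a server limited to TLSv1.0 or TLSv1.1 is reported as a failed handshake.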

Has Adobe published a list of supported methods?

Here's the table that shows all the problem cases:

Cases that will be blocked on June 20 (in Bold)

Cases that were already blocked as of April (in italics)

Cases that we will block later this year in Q3 (everything else)

| Category | Request Type | Unencrypted | TLS 1.0 | TLS 1.1 | Bad Certificate |
|---|---|---|---|---|---|
| Inbound API Requests | All Requests | Blocked on June 20 | Blocked in April 2018 | Blocked in April 2018 | N/A |
| Outbound API Requests | Document Upload Callback | Blocked on June 20 | To be blocked Q3 2018 | To be blocked Q3 2018 | To be blocked Q3 2018 |
| Outbound API Requests | Status Callback | Blocked on June 20 | Blocked on June 20 | Blocked on June 20 | Blocked on June 20 |

Is there anything else to know about the changes to encryption standards?

Status callbacks

For status callbacks, in addition to supporting TLS 1.2, the customer's server must support one of the cipher suites below: